From 2c6597062b58ee67202b761fc14928c27db7abd4 Mon Sep 17 00:00:00 2001
From: continuist
Date: Sat, 28 Jun 2025 23:12:33 -0400
Subject: [PATCH] Try to fix problem of registry being inaccessible
---
 CI_CD_PIPELINE_SETUP_GUIDE.md | 2 ++
 registry/docker-compose.yml | 1 +
 registry/nginx.conf | 66 ++++++++++++++++++++++++++++++++++-
 3 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md
index 411cc51..566f8a6 100644
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@@ -546,6 +546,8 @@ docker compose up -d
 exit
 ```
+**Important**: The registry uses standard authentication, but nginx provides intelligent routing to enable public read access for specific operations (manifests, blobs, tags) while requiring authentication for write operations (push, delete). This implements the "public read, authenticated write" model through nginx configuration.
+
 #### 5.7 Test Registry Setup
 ```bash
diff --git a/registry/docker-compose.yml b/registry/docker-compose.yml
index 3eadc97..7f7f070 100644
--- a/registry/docker-compose.yml
+++ b/registry/docker-compose.yml
@@ -41,6 +41,7 @@ services:
 - "8080:443"
 volumes:
 - /etc/ssl/registry:/etc/nginx/ssl:ro
+ - /etc/registry/auth/auth.htpasswd:/etc/nginx/auth/auth.htpasswd:ro
 - /opt/APP_NAME/registry/nginx.conf:/etc/nginx/nginx.conf:ro
 depends_on:
 - registry-ui
diff --git a/registry/nginx.conf b/registry/nginx.conf
index e11b129..3596ba1 100644
--- a/registry/nginx.conf
+++ b/registry/nginx.conf
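Review bot: The added bind mount `/etc/registry/auth/auth.htpasswd:/etc/nginx/auth/auth.htpasswd:ro` has no check that the host file exists; with short-syntax bind mounts Docker typically creates an empty directory at a missing host path, so nginx starts but its `auth_basic_user_file` lookups fail at request time and the authenticated `/v2/` routes answer with server errors instead of a credential challenge. A pre-flight step in the setup guide, e.g. `test -f /etc/registry/auth/auth.htpasswd || { echo "missing htpasswd"; exit 1; }` before `docker compose up -d`, would surface this early; the file must also be readable by the nginx worker user inside the container, since `:ro` only prevents writes. As far as the visible part of the registry/nginx.conf hunk shows, this file is consulted only by the fallback `location /v2/`: the new regex locations answer non-GET requests with `deny all` (403) before any credential check, so writes to the matched manifest and blob paths appear to be blocked outright rather than authenticated as the guide text describes.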
@@ -20,8 +20,72 @@ http {
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers HIGH:!aNULL:!MD5;
- # Proxy registry API requests
+ # Block all non-GET requests to public endpoints
+ location ~ ^/v2/([^/]+)/manifests/ {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ location ~ ^/v2/([^/]+)/blobs/ {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ location ~ ^/v2/([^/]+)/tags/list {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ location /v2/_catalog {
+ limit_except GET {
+ deny all;
+ }
+ proxy_pass https://registry_api;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+ proxy_ssl_verify off;
+ }
+
+ # Require authentication for all other registry operations
 location /v2/ {
+ auth_basic "Registry Realm";
+ auth_basic_user_file /etc/nginx/auth/auth.htpasswd;
+
 proxy_pass https://registry_api;
 proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;